Thursday, April 29, 2010

Remove Antivrsystem.com (Uninstall guide)

Antivrsystem.com is yet another misleading website related to Antispyware Soft malware. It may look like a legitimate website that promotes anti-spyware software, but it's actually fake. The website provides false information and promotes a rogue anti-spyware program. Cyber criminals don't even bother to change the design and use the same web template for newly created scam websites. Antivrsystem.com doesn't host harmful files at the moment, but the situation can change at any moment. That's why we strongly recommend that you avoid Antivrsystem.com and add it to a list of restricted websites.

If your computer is already infected with Antispyware Soft then you can be redirected to antivrsystem.microsft.com instead of antivrsystem.com. Please note that Antispyware Soft and antivrsystem.com have nothing to do with Microsoft Corp. Now, the most important question is how to remove AntispywareSoft. Thankfully, this malware can be removed for free using legitimate anti-malware programs. More information here: Antispyware Soft removal instructions. If you have any questions or additional information about this malware, please don't hesitate to leave a comment. Good luck and be safe!

Screenshot of Antivrsystem.com



How to remove the AP Manager (Uninstall guide)

AP Manager is a fake download manager and a part of the I-Q Manager Copyright violation scam. It claims to be very fast and powerful download management software, but that's not true. If you are reading this article then your computer is probably infected with this malware. And you probably got it from a fake website that is affiliated with APManager. Usually, those misleading websites provide copyrighted games, movies, and music. Of course you may download any movie or song you like from those websites, but you have to use AP Manager for that. The copyrighted media will be added to the AP Manager download list. Just like any other download manager it will show basic information about your download such as how much time is left, the amount of KB transferred and the speed of the download. However, this information is false. It only pretends to download the file to your computer but in reality nothing is being downloaded to your computer.



Once the file has ostensibly been downloaded to your computer, a new window titled "Copyright Violation Alert" will show up. It will attempt to convince you to pay a fee for copyrighted material that you have just downloaded. The fake Copyright Violation Alert reads:

"Copyright violation alert
Copyright violation: copyrighted content detected
Windows has detected that you are using content that was downloaded in violation of the copyright of its respective owners. Please read the following bulletin and try solving the problem in one of the recommended ways."



That's only a part of the whole statement, but basically it was made to look like a legitimate warning from a law firm that represents different copyright associations. It will ask you to pay a fine of around $50; otherwise it will notify the authorities and your case will supposedly be handled in a court.

AP Manager will also constantly display fake warnings from the Windows task bar as shown in the image below.



The biggest problem is that this threat then may lock the compromised computer until the user enters a correct license number for the program. Thankfully, S!Ri posted a registration code which should unlock your computer: RFHM2-TPX47-YD6RT-H4KDM.

To sum things up, AP Manager is a Trojan horse that pretends to be a download management program. Once installed, it will try to trick you into paying money for fake copyright violations. If you have already paid a fine, then you should contact your credit card company immediately and dispute the charges. Next, please follow the removal instructions below to remove AP Manager and any associated malware from your computer as soon as possible. If you have any questions or additional information about this virus, please leave a comment. Good luck and be safe!


AP Manager removal instructions:

1. Click Start -> Control Panel
2. When in the Control Panel, double-click on one of the options below depending on your version of Windows
a) Add or Remove Programs icon (for Windows XP users)
b) Uninstall Program (for Windows Vista and Windows 7 users)
3. The Add or Remove Programs (Windows XP) or the Uninstall Program (Windows Vista & 7) screen will be displayed. Scroll through the list of programs, look for entries with I-Q Manager and AP Manager, and uninstall them. When you are done, close the Control Panel screen.
NOTE: If the programs ask you to reboot your computer, do not allow it to reboot until you have uninstalled all of the programs.

Your computer should now be free of the I-Q Manager or Copyright Violation: Copyrighted Content Detected and AP Manager malware. However, if it's still on your computer then complete these additional steps:

1. Click Start -> Run.
2. Input: regedit. Then click OK.
3. Navigate to and delete the following registry entries and subkeys:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"iqmanager.exe" = "%UserProfile%\Application Data\IQManager\iqmanager.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IQManager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APManager
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "apmanager.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\APManager\apmanager.exe"
4. Exit the Registry Editor.
5. Download one of the following anti-malware programs (all programs are free):
6. Install the selected anti-malware program, update it and run a full system scan.


AP Manager files and registry values:

Files:
  • %UserProfile%\Application Data\APManager
  • %UserProfile%\Application Data\APManager\apmanager.exe
  • %UserProfile%\Application Data\APManager\settings.ini
  • %UserProfile%\Application Data\APManager\uninstall.exe
  • %UserProfile%\Application Data\APManager\wallpaper.jpg
  • %UserProfile%\Application Data\APManager\files\
  • %UserProfile%\Application Data\APManager\iplog\
  • %UserProfile%\Application Data\APManager\ispinfo\
  • %UserProfile%\Application Data\APManager\languages\
  • %UserProfile%\Application Data\APManager\metafiles\
Registry:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APManager
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "apmanager.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\APManager\apmanager.exe"

Tuesday, April 27, 2010

Remove antivirusexpertsoft.com and avexpertsoft.com (Free removal)

Antivirusexpertsoft.com and avexpertsoft.com are two misleading websites related to Antispyware Soft malware. These two websites are identical and full of false information about a rogue antivirus program. They don't host malicious or harmful files at the moment, but you should still avoid them as the situation may change at any time. Note that if your computer is already infected with Antispyware Soft you may see antivirusexpertsoft.microsoft.com and avexpertsoft.microsoft.com in your web browser's address bar. Of course, this doesn't mean that Antispyware Soft is somehow related to Microsoft. That's an old trick, but it's still very popular and makes the whole scam look more realistic.

If you find that your computer is already infected with the Antispyware Soft virus or you are being constantly redirected to antivirusexpertsoft.com or avexpertsoft.com, then please follow the Antispyware Soft removal instructions. Also, if you have any questions or additional information about this threat, don't hesitate to leave a comment. Good luck and be safe!

Screenshot of antivirusexpertsoft.com and avexpertsoft.com



Sunday, April 25, 2010

Remove security-engine.com (Free removal)

Security-engine.com is a misleading website that promotes the My Security Engine malware. In fact, it's typical scareware that displays fake warnings and reports false system security threats to make you think that your computer is infected with malicious software when in reality it's perfectly clean except for the My Security Engine badware itself. Security-engine.com doesn't host rogue programs at the moment, but it does provide an online purchase page for My Security Engine. And it's full of false information that may deceive users, so you should avoid Security-engine.com.

However, if you find that your computer is infected with the My Security Engine rogue antivirus program or you are being constantly redirected to Security-engine.com then please read how to remove My Security Engine. If you have any questions or additional information about this malware, don't hesitate to leave a comment. Good luck and be safe!

Screenshot of Security-engine.com:




Remove Vir'O'Fire rogue antivirus program (Free removal)

Vir'O'Fire (virofire) is a Polish rogue anti-virus program. It can be downloaded from pl.virofire.eu and it has to be manually installed. As you can see from its web page, Vir'O'Fire is almost a perfect copy of ThreatFire from PC Tools. If you want to run the rogue program you have to send an SMS and get back the code to unlock it. It goes without saying that you shouldn't download/install/purchase it. Vir'O'Fire is a scam. Please watch a short video about this malware made by rogueamp. If you think that your computer could have been compromised, then you should run a full system scan with legitimate anti-malware software. You may choose one from the list below. Good luck and be safe!


Screenshot of pl.virofire.eu:


Screenshot of threatfire.com:



Friday, April 23, 2010

Pconguard.com scam (Free removal)

Pconguard.com is a misleading website that promotes rogue anti-virus programs. At the moment, it promotes Virus Protector. Pconguard.com provides false information about ostensibly legitimate security software, but ironically there is a link to the SW Protector (Software Protector) purchase page. So, it's not clear after all what program cyber criminals distribute on that website. However, what we know for sure is that Pconguard.com should be added to a list of potentially dangerous and malicious websites.

If you are being constantly redirected to Pconguard.com, then this means that your computer is infected with malicious software. It could be Virus Protector, Software Protector or any other malware (usually a Trojan horse that promotes rogue programs). One way or another, we strongly recommend that you scan your computer with legitimate and reputable anti-malware or anti-spyware software listed below.
If you have any questions or additional information about this infection, please don't hesitate to leave a comment.

Pconguard.com screenshot



How to remove My Security Engine (Uninstall guide)

My Security Engine is a rogue anti-virus program that may cause serious system performance issues on your computer. This fake program is from the same family as CleanUp Antivirus malware. It performs a fake system scan and reports false system security threats to make you think that your computer is infected with malicious software (spyware, adware, Trojans, etc.). The scan results are false. My Security Engine creates numerous harmless files upon installation and then flags those files as infected ones. How rude. Finally, it asks you to pay for a full version of the program to remove the infections which don't exist. In other words, MySecurityEngine is a scam.



My Security Engine video: (thanks to rogueamp)


If you are reading this article, then your computer is probably infected with this scareware. Thankfully, we've got removal instructions to help. This fake program can be removed from your computer for free using legitimate and reputable anti-malware applications. Please follow the removal instructions below.

You may wonder how you got infected with this badware? Well, usually, such fake programs as My Security Engine come from fake online scanners, misleading online video websites or any other compromised/malicious website. It may come bundled with other malware too. Please also note that cyber criminals promote their bogus products on popular social networks. Once installed, the rogue program displays fake warnings about infected files and possible attacks from a remote computer. Some of the fake warnings read:

"Your PC may still be infected with dangerous viruses. My Security Engine protection is needed to prevent data loss and avoid theft of your personal data and credit card details. Click here to activate protection."

"My Security Engine has detected potentially harmful software in your system. It is strongly recommended that you register My Security Engine to remove all found threats immediately. "

Furthermore, MySecurityEngine will modify the Windows Hosts file and hijack Internet Explorer. You will be redirected to various misleading websites. There is a chance that you won't be able to visit certain security related websites and your search queries will be redirected to findgala.com.

It goes without saying that you should uninstall My Security Engine from your computer as soon as possible. Most importantly, don't purchase it. If you have already purchased it, then please contact your credit card company and dispute the charges. If you have any questions or additional information about this malware please don't hesitate and leave a comment. Good luck and be safe!


My Security Engine removal instructions (method #1):

Download one of the following legitimate anti-malware applications and run a quick system scan. Don't forget to update it first. All programs are free.
NOTE1: if you can't run any of the above programs you must rename the installer of the selected program before saving it on your PC. For example: if you choose MalwareBytes then you have to rename mbam-setup.exe to iexplore.exe, explorer.exe or any random name like test123.exe before saving it.

NOTE2: if you still can't run the renamed file then you need to change the file extension too, not only the name.
1. Go to "My Computer".
2. Select "Tools" from the menu and click "Folder Options".
3. Select the "View" tab and uncheck the checkbox labeled "Hide file extensions for known file types". Click OK.
4. Rename mbam-setup.exe to either test123.com or test123.pif.
5. Double-click to run the renamed file.


Removing My Security Engine in Safe Mode with Networking (method #2):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download one of the following legitimate anti-malware applications and run a quick system scan. Don't forget to update it first. All programs are free.

My Security Engine files and registry values:

Folders and files:
  • C:\Documents and Settings\All Users\Application Data\345d567
  • C:\Documents and Settings\All Users\Application Data\345d567\2322.mof
  • C:\Documents and Settings\All Users\Application Data\345d567\mozcrt19.dll
  • C:\Documents and Settings\All Users\Application Data\345d567\MS345d.exe
  • C:\Documents and Settings\All Users\Application Data\345d567\MSE.ico
  • C:\Documents and Settings\All Users\Application Data\345d567\sqlite3.dll
  • C:\Documents and Settings\All Users\Application Data\MSHOLE\
  • %UserProfile%\Application Data\My Security Engine\
  • C:\Program Files\Mozilla Firefox\searchplugins\search.xml
Registry values:
  • HKEY_CURRENT_USER\Software\3
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_CLASSES_ROOT\MS345d.DocHostUIHandler
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" ="http://findgala.com/?&uid=195&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "My Security Engine"
  • HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"


Tuesday, April 20, 2010

Remove Swprotector.com (Uninstall guide)

Swprotector.com is a misleading web site that promotes fake software called Software Protector or SW Protector. Most likely, Software Protector is yet another rogue anti-virus program from the same family as Virus Protector. Swprotector.com is full of false information. You may even buy the rogue program on that web site. Of course, you shouldn't purchase this program because it's fake.

The bogus web site itself isn't harmful and doesn't host harmful files, but the situation may change at any time so you should avoid Swprotector.com or any similar web sites that promote rogue security products. If you suspect that the Software Protector malware related to Swprotector.com might already be installed on your computer, then you should scan your PC with legitimate and reputable anti-malware or anti-spyware software. You may find a list of reputable and free anti-malware programs below. Good luck and be safe!

Screenshot of Swprotector.com


Pay page of Software Protector



How to remove Windows Performance Center (Uninstall guide)

Windows Performance Center is a fake pop-up/warning that impersonates Microsoft Windows XP Security Center and reports false system security threats to make you think that your sensitive information is not secure or that your computer is infected with malware. It's a part of a rogueware attack. Usually, clicking on a malicious search result yields this fake Windows Performance Center warning. If you click on the "Fix all" button then another pop-up will show up and will prompt you to install the rogue anti-virus program called Security Tool (could be any other rogue program actually) to remove the infections which don't even exist.

If you find that your computer is infected with Security Tool or any other rogue antivirus program, please use a reputable anti-malware program to remove malware from your computer as soon as possible. You may choose from several legitimate and free anti-spyware or anti-malware programs to remove Windows Performance Center malware.
In case of Security Tool malware infection, please read this article: How to remove Security Tool.
If you have any questions or additional information about this infection, please leave a comment. Good luck and be safe!




Monday, April 19, 2010

Remove Alphaantivir.com (Free removal)

Alphaantivir.com is a misleading web site that promotes the rogue anti-spyware program called Antispyware Soft. If your computer is already infected with this malware then you may see Alphaantivir.microsoft.com instead of Alphaantivir.com in your web browser's address bar. However, please note that Microsoft has nothing to do with this scam campaign. Alphaantivir.com is a typical fake web site that provides false information about Antispyware Soft. Such web sites usually don't host any malicious or harmful files so they can't infect your computer directly. On the other hand, such fake web sites as Alphaantivir.com may redirect you to other pages that host malware. One way or another, you should avoid such misleading web sites.

If you find that your computer is infected with the rogue program, please follow the Antispyware Soft removal instructions. And remember, don't purchase it. If you have already bought this fake program then you should contact your credit card company and dispute the charges. If you have any questions or additional information about this infection, don't hesitate to leave a comment. Good luck!

Screenshot of Alphaantivir.com



How to remove Antispyware Soft (Uninstall guide)

Antispyware Soft is a fake anti-spyware program that reports false system security threats to make you think that your computer is infected with malicious software. Basically, it's a clone of the widely spread rogue program called Antivirus Soft. Some users wrote to us that Antispyware Soft just appeared and started to scan their computers and that they got disconnected from the Internet. They cannot run any programs at all or install anything. They are actually right; these are the main symptoms of AntispywareSoft malware. If you are reading this article then your computer is probably infected with this pesky virus. Thankfully, this fake program can be removed for free using legitimate anti-malware programs. Please follow the removal instructions below to uninstall Antispyware Soft from your computer.



Antivirus Soft video: (http://www.youtube.com/watch?v=LYHXOkRlOdM)


The most annoying thing about this fake program is that Antispyware Soft blocks nearly all legitimate programs and of course it blocks anti-virus and anti-spyware programs in the first place. It displays an error message with the following text:

"Security warning
Application cannot be executed. The file rundll32.exe is infected. Do you want to activate your antivirus software now?"

In reality, though, rundll32.exe isn't infected; Antispyware Soft just wants to make you think that it is. As usual, rogue programs display many fake security warnings and AntispywareSoft is not an exception. It also constantly displays fake alerts stating that your computer is infected with malware. The rogue program impersonates Windows Security Center and reports several fake infections, for example:

"Antvirus software alert
Infiltration alert - Virus attack
Your computer is being attacked by internet virus. It could be a password stealing attack, a trojan - dropper or similar.
Threat: Win32/Nuqel.E
Threat: BankerFox.A"

It gives another threat every few seconds. This fake program is promoted through misleading web sites such as Alphaantivir.com or through Trojans. It may come bundled with other malware too.



Now, the most important question is how to remove this malware from your PC. First of all, you will have to reboot your computer in Safe Mode with Networking, disable the proxy server for Internet Explorer and download a free and reputable anti-malware program to remove this infection. If you can't reboot your computer in Safe Mode with Networking then you will have to use the HijackThis tool to stop the main processes of Antispyware Soft malware. Please follow the detailed Antispyware Soft removal instructions below. Most importantly, don't purchase it. If you have already purchased this fake program then you should contact your credit card company and dispute the charges. If you have any questions or additional information about this virus, please don't hesitate to leave a comment. Good luck and be safe!


Antispyware Soft removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download SUPERAntispyware, MalwareBytes Anti-malware or Spybot - Search & Destroy and run a full system scan. NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run a system scan again. That's it!
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.

Alternative Antivirus Soft removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for similar entries in the scan results:
O4 - HKLM\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwctssd.exe
O4 - HKCU\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwctssd.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555


The process name will be different in your case, but it has the same structure: [RANDOM]tssd.exe
Select all similar entries and click once on the "Fix checked" button. Close the HijackThis tool.

3. Download SUPERAntispyware, MalwareBytes Anti-malware or Spybot - Search & Destroy and run a full system scan. NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
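
The entries to look for in step 2, as an added example that is not part of the original guide or of HijackThis: a small Python triage over a saved HijackThis log that flags Run autoruns matching the [RANDOM]tssd.exe structure and a loopback ProxyServer setting. The sample log is constructed, and the function and rule names are hypothetical.

```python
import re

# O4 autorun line, e.g. "O4 - HKCU\..\Run: [name] command".
# Accepts "-" as well as the en dash that web pages often substitute for it.
O4_RE = re.compile(r"^O4\s*[-\u2013]\s*(HK[A-Z]+)\\\.\.\\(Run\w*):\s*\[(.*?)\]\s*(.+)$")
# R1 line that carries the Internet Explorer proxy setting.
PROXY_RE = re.compile(r"^R1\s*[-\u2013]\s*(.+?),ProxyServer\s*=\s*(.+)$")
# Dropped file structure described in the guide:
# ...\Local Settings\Application Data\[random]\[random]tssd.exe
TSSD_RE = re.compile(
    r"\\Local Settings\\Application Data\\[^\\]+\\[^\\]*tssd\.exe$", re.IGNORECASE
)
# A proxy on the loopback address, e.g. "http=127.0.0.1:5555".
LOOPBACK_RE = re.compile(r"(?:^|[=;/])(127\.\d+\.\d+\.\d+|localhost):(\d+)", re.IGNORECASE)


def exe_path(command):
    """Return the executable part of an autorun command, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|scr|pif|bat))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def triage(log_text):
    """Return a list of findings (dicts) for lines matching the guide's indicators."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, _key, name, command = m.groups()
            path = exe_path(command)
            if TSSD_RE.search(path):
                findings.append(
                    {"rule": "autorun-tssd", "hive": hive, "name": name, "detail": path}
                )
            continue
        m = PROXY_RE.match(line)
        if m:
            loop = LOOPBACK_RE.search(m.group(2))
            if loop:
                findings.append(
                    {
                        "rule": "loopback-proxy",
                        "hive": m.group(1).split("\\")[0],
                        "name": "ProxyServer",
                        "detail": f"{loop.group(1)}:{loop.group(2)}",
                    }
                )
    return findings


# Constructed sample: the three lines quoted in the guide plus benign entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwctssd.exe
O4 - HKCU\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwctssd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:15} {f['hive']:5} [{f['name']}] {f['detail']}")
```

A loopback proxy can also be set by legitimate local filtering software, so treat that finding as a prompt to check which process listens on the port rather than as proof of infection.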


Antispyware Soft associated files and registry values:

Files:
  • %UserProfile%\Local Settings\Application Data\[random]
  • %UserProfile%\Local Settings\Application Data\[random]\[random]tssd.exe
Registry values:
  • HKEY_CURRENT_USER\Software\AvScan
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[random]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random]


Wednesday, April 14, 2010

Remove 411online-scanner-free.org browser hijacker (Uninstall guide)

411online-scanner-free.org is yet another malicious web site classified as a browser hijacker that promotes the rogue anti-spyware program called Antivirus Plus. It's a typical browser hijacker that reports false system security threats to make you think that your computer is infected with malicious software. You shouldn't download or install anything from 411online-scanner-free.org as you may end up with an infected computer.

The rogue program itself is just another scam that uses misleading methods to trick you into purchasing the program. If your PC was inadvertently infected by this malware, then you should use legitimate anti-malware software to remove it from your computer as soon as possible. You can choose from:
Good luck and be safe!

411online-scanner-free.org screen shot



Remove "Copyright Violation: Copyrighted Content Detected" fake warning (Uninstall guide)

Fake warning "Copyright Violation: Copyrighted Content Detected" is a part of a ransomware infection that attempts to convince you to pay a fee for allegedly found copyrighted material on your computer. Actually, it's a Trojan horse, Trojan.Fakecopyright [Symantec]. Once this Trojan is installed, it will scan your computer for .torrent files and then will display a fake Copyright Violation alert window stating that copyrighted material has been found and that you should pay a fee ($399.85) or they will pass your case to the courts where you will be tried by a judge. That's ridiculous; you shouldn't trust it. This is yet another scam. If you find that your computer is infected with the I-Q Manager Antipiracy foundation (Copyright Violation: Copyrighted Content Detected) ransomware, please follow the removal instructions below to remove it from your PC as soon as possible.




(Video by rogueamp)

"Copyright violation alert
Copyright violation: copyrighted content detected
Windows has detected that you are using content that was downloaded in violation of the copyright of its respective owners. Please read the following bulletin and try solving the problem in one of the recommended ways."



If you select the "Pass the case to court", or "Settle case in pre-trial order", the threat will attempt to display a web page that contains an online order form for the amount of $399.85.



The biggest problem is that this threat then may lock the compromised computer until the user enters a correct license number for the program. Thankfully, S!Ri posted a registration code which should unlock your computer: RFHM2-TPX47-YD6RT-H4KDM. (I haven't tested it, so I don't know for sure)

The home page of the bogus ICPP Foundation is icpp-online.com (193.33.114.77). You should add both the IP address and icpp-online.com to the list of blocked web sites. Also note that this fake Copyright Violation alert has been localized to the following languages: Czech, Danish, Dutch, English, French, German, Italian, Portuguese, Slovak and Spanish.


"Copyright Violation: Copyrighted Content Detected" or I-Q Manager alert removal instructions:

1. Click Start -> Control Panel
2. When in the Control Panel, double-click on one of the options below depending on your version of Windows
a) Add or Remove Programs icon (for Windows XP users)
b) Uninstall Program (for Windows Vista and Windows 7 users)
3. The Add or Remove Programs (Windows XP) or the Uninstall Program (Windows Vista & 7) screen will be displayed. Scroll through the list of programs, look for entries with I-Q Manager, and uninstall them. When you are done, close the Control Panel screen.
NOTE: If the programs ask you to reboot your computer, do not allow it to reboot until you have uninstalled all of the programs.

Your computer should now be free of the I-Q Manager or Copyright Violation: Copyrighted Content Detected malware. However, if it's still on your computer then complete these additional steps:

1. Click Start -> Run.
2. Input: regedit. Then click OK.
3. Navigate to and delete the following registry entries and subkeys:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"iqmanager.exe" = "%UserProfile%\Application Data\IQManager\iqmanager.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IQManager
4. Exit the Registry Editor.
5. Download one of the following anti-malware programs (all programs are free):
6. Install the selected anti-malware program, update it and run a full system scan.


I-Q Manager or Copyright violation alert files and registry values:

Files:
  • %UserProfile%\Application Data\IQManager
  • %UserProfile%\Application Data\IQManager\iqmanager.exe
  • %UserProfile%\Application Data\IQManager\settings.ini
  • %UserProfile%\Application Data\IQManager\torrents
  • %UserProfile%\Application Data\IQManager\languages
Registry:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IQManager
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "iqmanager.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\IQManager\iqmanager.exe"
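
A way to check the Run and Winlogon "Shell" values listed above (and in the AP Manager list earlier on this page) without browsing regedit by hand, as an added example that is not from the original post: it scans the text of a registry export (.reg) for a replaced shell and for autoruns launched from Application Data. The sample export is constructed, and the function and rule names are hypothetical.

```python
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
# String (REG_SZ) value line in a .reg export: "Name"="Value" with \\ and \" escapes.
SZ_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
WINLOGON_SUFFIX = r"\software\microsoft\windows nt\currentversion\winlogon"
# Executable names taken from the file lists on this page.
PAGE_IOC_NAMES = ("iqmanager.exe", "apmanager.exe")


def unescape(text):
    """Undo .reg escaping: each backslash-escaped character becomes itself."""
    return re.sub(r"\\(.)", r"\1", text)


def scan_reg_export(text):
    """Return (rule, key, value_name, value_data) tuples worth a manual look."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = SZ_RE.match(line)
        if not m:
            continue  # dword/hex values, the header and blank lines are skipped
        name, value = unescape(m.group(1)), unescape(m.group(2))
        k, v = key.lower(), value.lower()
        if k.endswith(WINLOGON_SUFFIX) and name.lower() == "shell":
            # The stock shell is explorer.exe; a per-user Shell value that
            # points anywhere else replaces the desktop at logon.
            if v.strip() != "explorer.exe":
                findings.append(("shell-hijack", key, name, value))
        elif k.endswith(RUN_SUFFIX):
            if any(ioc in v for ioc in PAGE_IOC_NAMES):
                findings.append(("known-ioc", key, name, value))
            elif "\\application data\\" in v:
                # Not malicious by itself; some legitimate updaters live here.
                findings.append(("review-autorun", key, name, value))
    return findings


# Constructed sample export; paths mirror the structure listed on the page.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\User\\Application Data\\APManager\\apmanager.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"iqmanager.exe"="C:\\Documents and Settings\\User\\Application Data\\IQManager\\iqmanager.exe"
"updater"="\"C:\\Documents and Settings\\User\\Application Data\\Vendor\\upd.exe\" /silent"
'''

if __name__ == "__main__":
    for rule, key, name, value in scan_reg_export(SAMPLE_EXPORT):
        print(f"{rule:15} {key} :: {name} = {value}")
```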

Tuesday, April 13, 2010

Remove fake "Security breach!" warning (Uninstall guide)

If you see a notification that pops up from the Windows taskbar and it's titled "Security breach!" then your computer is infected with XP Internet Security 2010 malware. The fake Security breach! alert reads:

"Security breach!
Beware! Spyware infection was found. Your system security is at risk. Private information may get stolen, and your PC activity may get modified. Click for an anti-spyware scan."

Here's what it looks like:


As you can see, it looks like a legitimate notification from the Windows taskbar. However, this one is fake and it's a part of the XP Internet Security 2010 scam. The rogue program wants to make you think that your computer is infected with malicious software. Then it prompts you to pay for a so-called "full" version of the program to remove infections which don't actually exist. Most importantly, don’t purchase this bogus program! If you find that your computer is infected with this malware and you constantly see the "Security breach!" notification on your computer screen, then please follow the XP Internet Security 2010 removal instructions to remove this virus from your computer for free using legitimate anti-malware programs. If you have any questions or additional information about this infection, don't hesitate and leave a comment. Good luck and be safe!


Remove "Virus infection!" fake pop-up (Uninstall guide)

Yet another fake XP Internet Security 2010 notification:

"Virus infection!
System security was found to be compromised. Your computer is now infected. Attention, irreversible system changes may occur. Private data may get stolen. Click here now for an instant anti-virus scan."



This fake warning states that your sensitive information can be stolen. Just like all the other fake warnings from XP Internet Security 2010 malware, "Virus infection!" was made to scare you into thinking that your computer is infected with malicious software. Then the rogue program prompts you to pay for a full version of the program to remove infections which in reality don't even exist. Don't purchase it! Instead, please use the XP Internet Security 2010 removal instructions to remove this virus from your computer for free using legitimate anti-malware programs. If you have already purchased this phony program then you should contact your credit card company and dispute the charges. If you have any questions or additional information about this infection, please don't hesitate and leave a comment. Good luck and be safe!


Monday, April 12, 2010

Remove Antivirus-armature.com (Uninstall guide)

Antivirus-armature.com is a misleading web site that promotes the rogue anti-virus program called Antivirus Suite. It's a typical fake web site full of false information about an illegitimate anti-virus program. There are many such web sites and obviously we can’t inform our visitors about each of them separately. However, we’ve got several complaints about the Antivirus Armature infection. One of our readers thought that Antivirus-armature.com is an infection itself, but actually it's only a part of a malware infection.

If you are being constantly redirected to Antivirus-armature.com or similar web sites then this means that your computer is infected with either Antivirus Suite malware or Trojans that promote rogue programs. Now, if you find that your computer is infected with Antivirus Suite malware, please read our blog entry how to remove Antivirus Suite. If you don't know what infection you have on your computer then you should scan your PC with a legit anti-malware or anti-virus program. You may choose from the following free anti-malware programs:
If you have any questions or useful information about this infection don't hesitate and leave a comment. Good luck and be safe!




Saturday, April 10, 2010

How to remove Digital Protection malware (Uninstall guide)

Digital Protection is a fake antivirus program from the same family as Dr. Guard and User Protection. DigitalProtection is a typical rogue security program that displays fake warnings about malware infection on your computer and reports false system security threats to make you think that your PC is infected with spyware, adware and various other malicious software. As usual, such bogus programs are promoted through the use of Trojans that most of the time come from fake online anti-malware scanners or misleading video web sites. Cyber criminals may also use social engineering to distribute their bogus product.



Can Digital Protection steal your personal information? Well, usually such programs don't steal passwords or other personal information. However, please note that it may come bundled with other malware, which can actually be password-stealing Trojans or similar programs, so we highly recommend you to scan your computer with legit and reliable anti-virus or anti-malware programs. Don't rely on one anti-malware program. You should scan your computer with at least two programs to make sure that there is no other malware installed on your PC.

As a typical rogue anti-virus program, Digital Protection displays fake warnings and fake infections to scare you into purchasing the program. Some of the fake security alerts will state:

"Warning! Virus threat detected!
Virus activity detected!
Trojan-Clicker.Win32 adware has been detected. This adware module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat now."

"A security threat detected on your computer. TrojanASPX.JS.Win32. It strongly recommended to remove this threat right now. Click on the message to remove it."

Most importantly, don't purchase Digital Protection because it's a scam. Instead, you should uninstall it from your computer as soon as possible. Please use the removal instructions below to remove Digital Protection malware. The rogue program may come bundled with TDSS rootkit. If so, then you should use the second removal method (Method 2) or read the TDSS rootkit removal instructions. If you have any questions or useful information about this infection, don't hesitate and leave a comment. Good luck and be safe!


Digital Protection removal instructions (in Safe Mode with Networking, Method 1):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download SUPERAntispyware, MalwareBytes Anti-malware or Spybot - Search & Destroy and run a full system scan. NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run a system scan again. That's it!
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Digital Protection removal instructions: (Method 2)

1. Download the file TDSSKiller.zip and extract it into a folder
2. Execute the file TDSSKiller.exe (NOTE: you may have to rename TDSSKiller.exe to explorer.com yourself or download already renamed explorer.com file in order to run it)
3. Follow the prompts and wait for the scan and disinfection process to be over. Close all programs and press “Y” key to restart your computer.
More detailed TDSSKiller tutorial: http://support.kaspersky.com/viruses/solutions?qid=208280684
4. Download one of the following anti-malware programs and run a full system scan:
5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Digital Protection associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\[random].dll
  • %UserProfile%\Start Menu\Programs\Digital Protection
  • C:\Program Files\Digital Protection
  • C:\Program Files\Digital Protection\dig.db
  • C:\Program Files\Digital Protection\digext.dll
  • C:\Program Files\Digital Protection\dighook.dll
  • C:\Program Files\Digital Protection\digprot.exe
  • C:\Program Files\Digital Protection\Uninstall.exe
  • %Temp%\4otjesjty.mof
  • %Temp%\asd1.tmp
  • %Temp%\davclnt.exe
  • %Temp%\dhdhtrdhdrtr5y
  • %Temp%\dig.dat
Registry:
  • HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
  • HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Digital Protection
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Digital Protection"

Wednesday, April 7, 2010

Remove Avtivirus-fortress.com (Uninstall guide)

Avtivirus-fortress.com is a misleading web site that promotes the rogue anti-virus program called Antivirus Suite. It doesn't host harmful files at the moment (of course that might change at any time), but it provides false information and misleads users into purchasing the rogue program. There are many fake reviews and feedback from people all around the world on the avtivirus-fortress.com web site. It also serves as the payment page for Antivirus Suite. It goes without saying that you should avoid Avtivirus-fortress.com.

If you are being constantly redirected to avtivirus-fortress.com then this means that your computer is already infected with Antivirus Suite malware. Thankfully, this infection can be removed from a computer entirely for free using legitimate anti-malware programs. Please follow Antivirus Suite removal instructions and remove this annoying virus from your PC as soon as possible. If you have any questions or additional information about this infection, don't hesitate and leave a comment. Good luck and be safe!




Saturday, April 3, 2010

How to remove "Your Protection" malware (Uninstall guide)

"Your Protection" is a fake anti-virus program and it's a clone of User Protection malware. Needless to say, this fake program should be removed from your computer immediately. If you are reading this article, then your computer is probably infected with the Your Protection virus.

So, what is it and how to remove this infection? Basically, it's a trojan virus that pretends to be legitimate antivirus software. The rogue program comes mostly from fake online anti-malware scanners, compromised web sites, or through software vulnerabilities (web browser, PDF, etc.). Once installed, it displays fake warnings, pop-ups and reports false system security threats to make you think that your PC is infected with malicious software, whereas the only real infection is YourProtection. Thankfully, we've got instructions to help you.



Just like its predecessors, Your Protection attempts to uninstall legitimate anti-virus and anti-spyware programs from your computer. It scans the computer for the following antivirus programs: avast!, AVG, Avira AntiVir, NOD32, F-Secure and others. The rogue program states that the anti-virus program it found is infected and that you need to uninstall it. That's of course not true.

When running, this scareware also displays many fake security warnings. Some of them will state:

"User's activity loggers detected!
It's strongly recommended to remove detected threats right now!"

"Zlob.Porn.Ad adware has been detected. This adware module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat now."



"Danger!
A security threat detected on your computer. TrojanASPX.JS.Win32. It strongly recommended to remove this threat right now. Click on the message to remove it."

Of course, you will probably see more of these fake alerts on your computer screen. Also, you may find several porn icons on your Desktop. That's a part of this infection. Those shortcuts redirect the user to porn web sites or other infected web sites, so don't click on them.

As you probably know, Your Protection reports fake infections to scare you into purchasing the bogus program. Don't do that. This is nothing more than a scam. However, if you have already purchased it, then you should contact your credit card company as soon as possible and dispute the charges.

Last, but not least, YourProtection may come bundled with the TDSS rootkit. This rootkit usually hijacks Internet Explorer (other web browsers too) and redirects users to entirely unrelated web sites. Very often those web sites are harmful or full of false information. It's very important to remove the TDSS infection. That's why you should follow the removal instructions below very carefully and use the suggested malware removal tools. The Your Protection virus can be removed manually, but because of a possible TDSS infection manual removal is not recommended. If you have any questions about this virus or any information that might help to remove it, don't hesitate and leave a comment. Good luck and be safe!


Your Protection removal instructions:

1. Download the file TDSSKiller.zip and extract it into a folder
2. Execute the file TDSSKiller.exe (NOTE: you may have to rename TDSSKiller.exe to explorer.com yourself or download already renamed explorer.com file in order to run it)
3. Follow the prompts and wait for the scan and disinfection process to be over. Close all programs and press “Y” key to restart your computer.
More detailed TDSSKiller tutorial: http://support.kaspersky.com/viruses/solutions?qid=208280684
4. Download one of the following anti-malware programs and run a full system scan:
5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.

User Protection associated files and registry values:

Files:
  • C:\Program Files\Your Protection
  • C:\Program Files\Your Protection\Uninstall.exe
  • C:\Program Files\Your Protection\urp.db
  • C:\Program Files\Your Protection\urpext.dll
  • C:\Program Files\Your Protection\urphook.dll
  • C:\Program Files\Your Protection\urpprot.exe
  • C:\Documents and Settings\All Users\Application Data\kjrofjkrtm.dll
  • %Temp%\asd1.tmp
  • %Temp%\mplay32xe.exe
  • %Temp%\urp.dat
  • %Temp%\urpr.dat
Registry:
  • HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Protection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "mplay32xe.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Your Protection"
  • HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SimpleShlExt "(Default)" = "{5E2121EE-0300-11D4-8D3B-444553540000}"
  • HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt "(Default)" = "{5E2121EE-0300-11D4-8D3B-444553540000}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5E2121EE-0300-11D4-8D3B-444553540000}"
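
The registry values listed above for Your Protection, and the matching list for Digital Protection (both reference the same shell-extension CLSID), can be checked offline against a regedit export. The following Python is an added example, not part of the original guide; the function names are assumptions and the sample export is constructed for illustration.

```python
import re

CLSID = "{5e2121ee-0300-11d4-8d3b-444553540000}"  # CLSID shared by both lists
PRODUCTS = {"your protection", "digital protection"}
RUN_NAMES = PRODUCTS | {"mplay32xe.exe"}           # Run value names from the lists

# "name"=data or @=data (default value), as written by regedit's export.
VALUE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

# Constructed sample export (not taken from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Your Protection"="C:\\Program Files\\Your Protection\\urpprot.exe"

[HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt]
@="{5E2121EE-0300-11D4-8D3B-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{5E2121EE-0300-11D4-8D3B-444553540000}"=""
"""


def decode(data):
    """Turn the right-hand side of a .reg line into a str or int."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])   # undo \\ and \" escapes
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data                                       # hex:... and others, left raw


def parse_reg(text):
    """Yield (key, name, data); name is None for the key line, '@' for default."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
            continue
        m = VALUE.match(line) if key else None
        if m:
            name = "@" if m.group("default") else re.sub(r"\\(.)", r"\1", m.group("name"))
            yield key, name, decode(m.group("data"))


def check(text):
    """Return (kind, location) pairs for entries matching the listed indicators."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None:
            if k.rsplit("\\", 1)[-1] in PRODUCTS or CLSID in k:
                findings.append(("key", key))
        elif name.lower() == "disabletaskmgr" and k.endswith("\\policies\\system") \
                and data in (1, "1"):
            findings.append(("taskmgr-disabled", key))
        elif k.endswith("\\currentversion\\run") and name.lower() in RUN_NAMES:
            findings.append(("run-value", key + "\\" + name))
        elif CLSID in (name.lower(), str(data).lower()):
            findings.append(("clsid-ref", key + "\\" + name))
    return findings


if __name__ == "__main__":
    for kind, where in check(SAMPLE_REG):
        print(kind, where)
```

Exports saved by regedit in the "Version 5.00" format are UTF-16 encoded, so read a real file with `open(path, encoding="utf-16")` before passing its text to `check`.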


Thursday, April 1, 2010

Remove Protectedlife.net scam (Uninstall guide)

Protectedlife.net is a misleading web site that promotes the rogue anti-virus program called Antivirus Suite. It seems like this web template (see image below) works quite well because it has been used for a while now. The widely spread malware Antivirus Soft redirects infected users to bogus web sites that look just like Protectedlife.net. Read the Remove Av-2010.com scam article for more information.

As for Protectedlife.net, that web site isn't harmful, but it provides clearly false information. Antivirus Suite is not a legitimate program. It's a scam. And you shouldn't purchase it. Otherwise you will simply lose your money. By the way, if you have already purchased Antivirus Suite malware, then you should contact your credit card company and dispute the charges. If you are constantly being redirected to Protectedlife.net then this is a sign that your computer is infected with Antivirus Suite. In order to remove this virus from your computer please read this article: Antivirus Suite removal instructions. Good luck and be safe!

Screenshot of Protectedlife.net



Remove INFILTRATION ALERT Win32/Nuqel.E popup (Free removal)

"INFILTRATION ALERT" Win32/Nuqel.E is a false system security threat commonly reported by rogue antivirus programs. This fake warning has recently been used by the rogue anti-virus program called Antivirus Suite. The fake warning reads:

"Antivirus software alert
INFILTRATION ALERT
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan - dropper or similar.
Threat: Win32/Nuqel.E"



If you see this or similar alerts on your computer screen then you are infected with malware. Please follow the Antivirus Suite removal instructions. NOTE: such alerts might be used by other rogue programs. Good luck and be safe!


How to remove "Antivirus Suite" fake program (Uninstall guide)

Antivirus Suite is malware classified as a rogue anti-virus program. It is one of many fake antivirus applications that display fake security warnings or pop-ups from the Windows taskbar and report false threats to make you think that your computer is infected with malicious software. It then prompts you to pay for a full version of the program to remove the infections which don't even exist. If you are reading this article then your computer is probably infected with this virus. Thankfully, we've got the instructions to help.



How to remove Antivirus Soft/Antivirus Suite video: (thanks to rogueamp)


This fake program is a clone of Antivirus Soft malware and it uses basically the same "self-protection" methods as its predecessor. It blocks legitimate programs and displays a fake warning titled "Application cannot be executed".



Some other fake alerts read:
"Windows Security alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now."

"Antivirus software alert
Infiltration Alert
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan - dropper or similar."

The bad news is that Antivirus Suite hijacks Internet Explorer and configures Windows Internet settings to use a proxy server. The proxy server blocks nearly all web sites, especially security-related ones, and displays this fake warning titled "Internet Explorer Warning - visiting this web site may harm your computer!".



When you attempt to open other programs, AntivirusSuite will state that they are infected and finally will prompt you to pay for a full version of the program to remove the infections that cause Windows OS problems/errors. Of course, this is nothing more than a scam. Don't buy this bogus software.

Screenshot of Protectedlife.net


Antivirus Suite is absolutely needless software. In some cases it can even be dangerous (if it comes bundled with other malware). It goes without saying that you should remove this virus from your computer as soon as possible. Please follow the removal instructions below. Those are the steps that normally work. However, note that in some cases Antivirus Suite may block Safe Mode with Networking or even prevent you from doing anything at all. In such a case, you will have to download the files requested in this guide on another computer and transfer them to the infected computer using a USB flash drive or any other external drive. If you have any questions or any related information, don't hesitate and leave a comment. Good luck and be safe!


Antivirus Suite removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download SUPERAntispyware, MalwareBytes Anti-malware or Spybot - Search & Destroy and run a full system scan. NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run a system scan again. That's it!
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Alternative Antivirus Suite removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed copy of the HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file then download explorer.scr and run it.

2. Search for similar entries in the scan results:
O4 – HKCU\..\Run: [wdpayrmq] C:\Documents and Settings\User\Local Settings\Application Data\krtopldrf\woprklstssd.exe
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555


The process name will be different in your case. But it has the same structure: [RANDOM]tssd.exe 
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download SUPERAntispyware, MalwareBytes Anti-malware or Spybot - Search & Destroy and run a full system scan. NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
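
The check in step 2 can also be run over a saved HijackThis log, for example on a second computer when the infected one blocks other tools. The following Python is an added example, not part of the original guide; the function names are assumptions, and the sample log combines the two entries quoted in step 2 with constructed benign lines. A loopback proxy can also be set by legitimate local filtering software, so treat that finding as a lead to review.

```python
import re
from ipaddress import ip_address

# Accept the ASCII hyphen of a real log and the en dash shown in the guide.
DASH = r"\s*[-\u2013]\s*"
O4_RUN = re.compile(
    r"^O4" + DASH + r"(?P<hive>HK(?:CU|LM))\\\.\.\\Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
R1_PROXY = re.compile(r"^R1" + DASH + r".+?,ProxyServer\s*=\s*(?P<val>.*)$")
# [RANDOM]tssd.exe inside a per-user "Local Settings\Application Data\<dir>\" folder.
TSSD_PATH = re.compile(
    r"\\Local Settings\\Application Data\\[^\\]+\\[^\\]*tssd\.exe$", re.I)

# Constructed sample log: lines 2 and 3 are the entries quoted in the guide,
# the others are made-up benign entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 – HKCU\..\Run: [wdpayrmq] C:\Documents and Settings\User\Local Settings\Application Data\krtopldrf\woprklstssd.exe
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def loopback_proxies(value):
    """Return the host:port entries of a ProxyServer value that point at this PC."""
    hits = []
    for part in value.split(";"):                    # "http=a:1;https=b:2"
        endpoint = part.split("=", 1)[-1].strip()    # drop a leading "http="
        host = endpoint.rsplit(":", 1)[0].strip("[]")
        try:
            local = ip_address(host).is_loopback
        except ValueError:                           # not an IP literal
            local = host.lower() == "localhost"
        if local:
            hits.append(endpoint)
    return hits


def triage(log_text):
    """Return (kind, detail) pairs for log lines matching the guide's indicators."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line)
        if m:
            cmd = m.group("cmd").strip().strip('"')
            if TSSD_PATH.search(cmd):
                findings.append(("run-tssd", "%s [%s] %s" % (
                    m.group("hive"), m.group("name"), cmd)))
            continue
        m = R1_PROXY.match(line)
        if m:
            for endpoint in loopback_proxies(m.group("val")):
                findings.append(("loopback-proxy", endpoint))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(kind, detail)
```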


Antivirus Suite associated files and registry values:

Files:
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\[random]tssd.exe
By default "Application Data" folder is hidden. To unhide this folder (and others), open the Folder Options in the Control Panel, and on the “View” tab, change the option to “show hidden files and folders”, and click ok.

Registry values:
  • HKEY_CURRENT_USER\Software\avsuite
  • HKEY_LOCAL_MACHINE\SOFTWARE\avsuite
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = "
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"